What's Next: They've Got Your Number

"Trust me, I'm from the government." It's an old joke, but one that certainly applies to the problem of identity theft, where the government may be making many Americans more vulnerable, not less.

This is crime just waiting to happen on a massive scale, thanks to computer technology. Identity theft is generally a pretty low-tech crime. The bad guys steal your mail or go through your trash, coming up with enough personal information to apply for bank accounts, credit cards, and loans with your name and credit rating but with their mailing address. They can even appropriate your existing accounts. All they require is your name, address, date of birth, and Social Security number. Before you know it, the crooks have bought goods, bounced checks, and drained your bank accounts.

The single greatest deterrent to identity theft is probably a paper shredder. Get one and use it for anything you throw away that contains personal information.

It is very difficult to measure the cost of identity theft. The U.S. General Accounting Office tried to come up with a figure for a 2002 report and finally concluded that it simply could not be done with any precision. Many identity thefts aren't even noticed, for one thing. What's that $30 charge on your credit card bill? Oh, well.... Even many identity thefts that are noticed aren't reported, and when they are reported it is often to different federal, state, and local agencies that don't necessarily speak with one another.

What we do know is that there are somewhere between 250,000 and 750,000 identity theft victims every year. Many cases are small, but the U.S. Secret Service reported in one year investigating more than 7,000 cases with an average cost to victims and financial institutions of $217,000, or a total cost of about $1.5 billion. The American Banking Association reports identity fraud losses to its members of around $1 billion per year, and credit card companies absorb around $1.5 billion per year in such fraud losses. Then there is the cost of fighting the problem, which ranges from $15,000 per case for the Secret Service to the average 175 man-hours that consumer counseling organizations report it takes victims to deal with the paperwork of restoring their financial lives to order.

So the cost to society of identity theft is in the range of $4 billion to $5 billion per year and may be even higher. This from a cottage industry relying primarily on techniques like Dumpster diving. What if identity thieves found a way to automate their crimes using computers? Then it would get far worse, which is what this column is about.

The term "computer crime" was coined during the Mainframe Age, and the perceived threat then was from employees who might program bank or company computers to conduct millions of tiny thefts, grabbing a penny here and there and accumulating millions of dollars over time. It would be an inside job involving vast sums, but done so skillfully that nobody would even notice. But it really didn't happen very often. When computer crime finally became a reality in the 1990s it was the Internet Age and the criminals weren't, for the most part, company employees -- they were kids with bad attitudes and too much time on their hands. Their crime wasn't theft but vandalism; their viruses, worms, and automated attacks on computer systems led to loss of data worth billions. That's one of the oddities of this kind of computer crime: Money isn't stolen, it's destroyed.

Crossing identity theft and computer crime requires gaining access to personal identity data on thousands or hundreds of thousands of people at one time, then using that data on a mass scale to apply for credit cards and bank accounts online. Crunching the data for all those credit card applications is the easy part once you've written a program to do it. What's hard is finding the personal identity information needed to drive the process, and that's where the government, all too often, plays a role.

It's that damned Social Security number, which is so useful as a universal identifier that it becomes a part of almost every database at all levels of government. If you are a bad guy, then the trick is gaining access to those databases, which ought to be difficult but isn't. Most states include Social Security numbers in their voter-registration databases, nearly all of which are open to the public and many of which are searchable online. Now, searching for your Uncle Bernie's name and grabbing 100,000 voter records are very different things, so trying to gather mass data for identity theft using your AOL account would probably be noticed. But some states will sell you the data on CD-ROMs that you can take home and search as intensively as you like. These CDs are typically intended for politicians to use for generating mailing lists but could obviously be used for a far darker purpose.

Of course, you could probably do the same thing with medical, educational, or insurance records, but then there is the problem of gaining access. Public records are better if you want to be a crook -- that's because the Freedom of Information Act makes them completely available. Government agencies are doing their pitiful best to keep this kind of data hidden (a GAO study last year found that 14 of 15 federal agencies studied were protecting Social Security numbers inadequately), but the danger persists. That's because Social Security numbers last a lifetime and a lot of old data is floating around, data that can be brought up-to-date with frightening ease.

Here is the part where I have to slow down a bit, because it would be very easy to explain exactly how to steal a whole lot of money. I want to publicize a problem that should be fixed, but I don't want to tempt anyone to break the law. So I'll just say that there is a federal agency that used to use Social Security numbers as individual record identifiers for a large database of names and addresses -- a policy it changed quite recently. When it stopped using Social Security numbers for new records, this agency didn't immediately go back and assign new numbers to its almost 600,000 old database entries. The old Social Security numbers are still there. Fortunately, they are no longer reported on the $30 CD-ROM version of the database that the agency sells to all comers. Nor is the all-important date of birth in the public record anymore. Problem solved, right? Wrong.

There are thousands of old CDs in circulation, most of them probably missing some part of the information an identity theft requires. Given that some of these database entries linger for decades (for example, mine is more than 30 years old) and neither Social Security numbers nor dates of birth ought to change over time, it should be simple to reconstruct the missing data. Just take an old CD and a new one and examine any entries that span both disks. I just did it myself. Really. I borrowed a version of the 1998 data CD from that government agency and used my computer to mix that old data with the more limited data from the current CD. Sure enough, in less than an hour I had updated names, addresses, Social Security numbers, and dates of birth for the more than 300,000 entries that appeared across both CDs.

What I produced in that hour was all the information that was required to steal the identities of 300,000 people, most of whom would be considered to have high net worth. If I were a real criminal, I could have used this data to apply online for credit cards and bank accounts, and to order credit reports that list where the victims do their banking so I could loot those accounts, too. Before anyone noticed, I could have grabbed that Secret Service equivalent of $217,000 per victim for a total take of $65 billion, which certainly beats my day job.

This sort of crime will eventually happen. The take may not be $65 billion, but it will be in the billions. Once what has happened sinks in, the financial world will never be the same -- yet another shred of innocence torn away. And government will likely respond with new laws that won't work and with a profound lack of understanding of its own role in the tragedy.

There is a logical result of the need to identify people while protecting identities, and that is some form of national identity database, probably linked to a method of identity verification. (I anticipate something involving biometrics; remember the talk about iris cameras?) A lot of people don't like the sound of the words "National ID Card," but between terrorism and identity theft, some absolute way of verifying identity is bound to come.

Contributor Robert X. Cringely is a writer, broadcaster, and entrepreneur specializing in technology. Contact him at cringely@inc.com.